1. Using Machine Learning to Guess PINs from Video

    Researchers trained a machine-learning system on videos of people typing their PINs into ATMs:

    By using three tries, which is typically the maximum allowed number of attempts before the card is withheld, the researchers reconstructed the correct sequence for 5-digit PINs 30% of the time, and reached 41% for 4-digit PINs.

    This works even if the person is covering the pad with their hands.

    The article doesn’t contain a link to the original research. If someone knows it, please put it in the comments.

    Slashdot thread.

  2. Ransomware Attacks against Water Treatment Plants

    According to a report from CISA last week, there were three ransomware attacks against water treatment plants last year.

    WWS Sector cyber intrusions from 2019 to early 2021 include:

    • In August 2021, malicious cyber actors used Ghost variant ransomware against a California-based WWS facility. The ransomware variant had been in the system for about a month and was discovered when three supervisory control and data acquisition (SCADA) servers displayed a ransomware message.
    • In July 2021, cyber actors used remote access to introduce ZuCaNo ransomware onto a Maine-based WWS facility’s wastewater SCADA computer. The treatment system was run manually until the SCADA computer was restored using local control and more frequent operator rounds. ...
  3. Missouri Governor Doesn’t Understand Responsible Disclosure

    The Missouri governor wants to prosecute the reporter who discovered a security vulnerability in a state’s website, and then reported it to the state.

    The newspaper agreed to hold off publishing any story while the department fixed the problem and protected the private information of teachers around the state.

    […]

    According to the Post-Dispatch, one of its reporters discovered the flaw in a web application allowing the public to search teacher certifications and credentials. No private information was publicly visible, but teacher Social Security numbers were contained in HTML source code of the pages...

  4. Friday Squid Blogging: New Giant Squid Video

    New video of a large squid in the Red Sea at about 2,800 feet.

    As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

    Read my blog posting guidelines here.

  5. Security Risks of Client-Side Scanning

    Even before Apple made its announcement, law enforcement shifted their battle for backdoors to client-side scanning. The idea is that they wouldn’t touch the cryptography, but instead eavesdrop on communications and systems before encryption or after decryption. It’s not a cryptographic backdoor, but it’s still a backdoor — and brings with it all the insecurities of a backdoor.

    I’m part of a group of cryptographers that has just published a paper discussing the security risks of such a system. (It’s substantially the same group that wrote a similar paper about...

  6. Upcoming Speaking Engagements

    This is a current list of where and when I am scheduled to speak:

    • I’ll be speaking at an Informa event on November 29, 2021. Details to come.

    The list is maintained on this page.

  7. Recovering Real Faces from Face-Generation ML System

    New paper: “This Person (Probably) Exists. Identity Membership Attacks Against GAN Generated Faces.

    Abstract: Recently, generative adversarial networks (GANs) have achieved stunning realism, fooling even human observers. Indeed, the popular tongue-in-cheek website http://thispersondoesnotexist.com, taunts users with GAN generated images that seem too real to believe. On the other hand, GANs do leak information about their training data, as evidenced by membership attacks recently demonstrated in the literature. In this work, we challenge the assumption that GAN faces really are novel creations, by constructing a successful membership attack of a new kind. Unlike previous works, our attack can accurately discern samples sharing the same identity as training samples without being the same samples. We demonstrate the interest of our attack across several popular face datasets and GAN training procedures. Notably, we show that even in the presence of significant dataset diversity, an over represented person can pose a privacy concern...

  8. Suing Infrastructure Companies for Copyright Violations

    It’s a matter of going after those with deep pockets. From Wired:

    Cloudflare was sued in November 2018 by Mon Cheri Bridals and Maggie Sottero Designs, two wedding dress manufacturers and sellers that alleged Cloudflare was guilty of contributory copyright infringement because it didn’t terminate services for websites that infringed on the dressmakers’ copyrighted designs….

    [Judge] Chhabria noted that the dressmakers have been harmed “by the proliferation of counterfeit retailers that sell knock-off dresses using the plaintiffs’ copyrighted images” and that they have “gone after the infringers in a range of actions, but to no avail — every time a website is successfully shut down, a new one takes its place.” Chhabria continued, “In an effort to more effectively stamp out infringement, the plaintiffs now go after a service common to many of the infringers: Cloudflare. The plaintiffs claim that Cloudflare contributes to the underlying copyright infringement by providing infringers with caching, content delivery, and security services. Because a reasonable jury could not — at least on this record — conclude that Cloudflare materially contributes to the underlying copyright infringement, the plaintiffs’ motion for summary judgment is denied and Cloudflare’s motion for summary judgment is granted.”...

  9. Airline Passenger Mistakes Vintage Camera for a Bomb

    I feel sorry for the accused:

    The “security incident” that forced a New-York bound flight to make an emergency landing at LaGuardia Airport on Saturday turned out to be a misunderstanding — after an airline passenger mistook another traveler’s camera for a bomb, sources said Sunday.

    American Airlines Flight 4817 from Indianapolis — operated by Republic Airways — made an emergency landing at LaGuardia just after 3 p.m., and authorities took a suspicious passenger into custody for several hours.

    It turns out the would-be “bomber” was just a vintage camera aficionado and the woman who reported him made a mistake, sources said...

  10. The European Parliament Voted to Ban Remote Biometric Surveillance

    It’s not actually banned in the EU yet — the legislative process is much more complicated than that — but it’s a step: a total ban on biometric mass surveillance.

    To respect “privacy and human dignity,” MEPs said that EU lawmakers should pass a permanent ban on the automated recognition of individuals in public spaces, saying citizens should only be monitored when suspected of a crime.

    The parliament has also called for a ban on the use of private facial recognition databases — such as the controversial AI system created by U.S. startup Clearview...

Copyright © 2021 • All Rights Reserved.Sensible Voice, LLC
1 High Street • Brandon, VT 05733 • Contact Us • Privacy Policy